Jar Maven Signing - GnuPG and sha256 (#22217)

### Description  Jar maven signing: - GnuPG - sha256. Jar packages artifacts: - onnxruntime-android-full-aar - onnxruntime-java - onnxruntime-java-gpu ### Motivation and Context  Previously, it is manually signed. Goal: make it automatically.
microsoft · Sep 27, 2024 · b81e76b · b81e76b
1 parent ff8a48e
commit b81e76b
Show file tree

Hide file tree

Showing 5 changed files with 137 additions and 0 deletions.
diff --git a/tools/ci_build/github/azure-pipelines/stages/java-cuda-packaging-stage.yml b/tools/ci_build/github/azure-pipelines/stages/java-cuda-packaging-stage.yml
@@ -58,6 +58,10 @@ stages:
         showWarnings: true
         workingDirectory: '$(Build.BinariesDirectory)\java-artifact'
 
+    - template: ../templates/jar-maven-signing-win.yml
+      parameters:
+        JarFileDirectory: '$(Build.BinariesDirectory)\java-artifact\onnxruntime-java-win-x64'
+
     - task: CopyFiles@2
       displayName: 'Copy Java Files to Artifact Staging Directory'
       inputs:

diff --git a/tools/ci_build/github/azure-pipelines/templates/android-java-api-aar.yml b/tools/ci_build/github/azure-pipelines/templates/android-java-api-aar.yml
@@ -102,6 +102,10 @@ jobs:
             /bin/bash /onnxruntime_src/tools/ci_build/github/android/build_aar_and_copy_artifacts.sh
       workingDirectory: $(Build.SourcesDirectory)
 
+  - template: jar-maven-signing-linux.yml
+    parameters:
+      JarFileDirectory: '$(artifacts_directory)'
+
   - task: PublishBuildArtifacts@1
     inputs:
       pathtoPublish: '$(artifacts_directory)'

diff --git a/tools/ci_build/github/azure-pipelines/templates/c-api-cpu.yml b/tools/ci_build/github/azure-pipelines/templates/c-api-cpu.yml
@@ -236,6 +236,10 @@ stages:
         showWarnings: true
         workingDirectory: '$(Build.BinariesDirectory)\java-artifact'
 
+    - template: jar-maven-signing-win.yml
+      parameters:
+        JarFileDirectory: '$(Build.BinariesDirectory)\java-artifact\onnxruntime-java-win-x64'
+
     - task: CopyFiles@2
       displayName: 'Copy Java Files to Artifact Staging Directory'
       inputs:

diff --git a/tools/ci_build/github/azure-pipelines/templates/jar-maven-signing-linux.yml b/tools/ci_build/github/azure-pipelines/templates/jar-maven-signing-linux.yml
@@ -0,0 +1,55 @@
+parameters:
+  - name: JarFileDirectory
+    type: string
+
+steps:
+  - task: AzureKeyVault@2
+    displayName: 'Get GnuPG signing keys'
+    inputs:
+      azureSubscription: 'OnnxrunTimeCodeSign_20240611'
+      KeyVaultName: 'ort-release'
+      SecretsFilter: 'java-pgp-pwd,java-pgp-key'
+      RunAsPreJob: false
+
+  - task: CmdLine@2
+    displayName: 'Sign jar files: GnuPG and sha256'
+    inputs:
+      workingDirectory: '$(Build.SourcesDirectory)'
+      script: |
+        #!/bin/bash
+        set -ex
+
+        jar_file_directory='${{ parameters.JarFileDirectory }}'
+        working_directory='$(Build.SourcesDirectory)'
+        original_private_key='$(java-pgp-key)'
+        original_passphrase='$(java-pgp-pwd)'
+
+        private_key_file=$working_directory/private_key.txt
+        passphrase_file=$working_directory/passphrase.txt
+
+        echo "Generating GnuPG key files."
+        printf "%s" "$original_private_key" >$private_key_file
+        printf "%s" "$original_passphrase" >$passphrase_file
+        echo "Generated GnuPG key files."
+
+        echo "Importing GnuPG private key file."
+        gpg --batch --import $private_key_file
+        echo "Imported GnuPG private key file."
+
+        for file in $(find $jar_file_directory -type f); do
+            echo "GnuPG signing to file: $file"
+            gpg --pinentry-mode loopback --passphrase-file $passphrase_file -ab $file
+            echo "GnuPG signed to file: $file"
+        done
+
+        for file in $(find $jar_file_directory -type f); do
+            echo "Adding checksum of sha256 to file: $file"
+            sha256sum $file | awk '{print $1}' >$file.sha256
+            echo "Added checksum of sha256 to file: $file"
+        done
+
+        echo "GnuPG and sha256 signing to files completed."
+        echo "Deleting GnuPG key files."
+        rm -f $private_key_file
+        rm -f $passphrase_file
+        echo "Deleted GnuPG key files."
diff --git a/tools/ci_build/github/azure-pipelines/templates/jar-maven-signing-win.yml b/tools/ci_build/github/azure-pipelines/templates/jar-maven-signing-win.yml
@@ -0,0 +1,70 @@
+parameters:
+  - name: JarFileDirectory
+    type: string
+
+steps:
+  - task: AzureKeyVault@2
+    displayName: 'Get GnuPG signing keys'
+    inputs:
+      azureSubscription: 'OnnxrunTimeCodeSign_20240611'
+      KeyVaultName: 'ort-release'
+      SecretsFilter: 'java-pgp-pwd,java-pgp-key'
+      RunAsPreJob: false
+
+  - task: PowerShell@2
+    displayName: 'Sign jar files: GnuPG and sha256'
+    inputs:
+      targetType: 'inline'
+      workingDirectory: '$(Build.SourcesDirectory)'
+      script: |
+        $jar_file_directory = '${{ parameters.JarFileDirectory }}'
+        $working_directory = '$(Build.SourcesDirectory)'
+
+        $original_passphrase='$(java-pgp-pwd)'
+        $original_private_key='$(java-pgp-key)'
+
+        $gpg_exe_path = "C:\Program Files (x86)\gnupg\bin\gpg.exe"
+
+        $passphrase_file = Join-Path -Path $working_directory -ChildPath "passphrase.txt"
+        $private_key_file = Join-Path -Path $working_directory -ChildPath "private_key.txt"
+
+        Write-Host "Generating GnuPG key files."
+        Out-File -FilePath $passphrase_file -InputObject $original_passphrase -NoNewline -Encoding ascii
+        Out-File -FilePath $private_key_file -InputObject $original_private_key -NoNewline -Encoding ascii
+        Write-Host "Generated GnuPG key files."
+
+        Write-Host "Importing GnuPG private key file."
+        & $gpg_exe_path --batch --import $private_key_file
+        if ($lastExitCode -ne 0) {
+            Write-Host -Object "GnuPG importing private key command failed. Exitcode: $exitCode"
+            exit $lastExitCode
+        }
+        Write-Host "Imported GnuPG private key file."
+
+        $targeting_original_files = Get-ChildItem $jar_file_directory -Recurse -Force -File -Name
+        foreach ($file in $targeting_original_files) {
+            $file_path = Join-Path $jar_file_directory -ChildPath $file
+            Write-Host "GnuPG signing to file: "$file_path
+            & $gpg_exe_path --pinentry-mode loopback --passphrase-file $passphrase_file -ab $file_path
+            if ($lastExitCode -ne 0) {
+                Write-Host -Object "GnuPG signing file command failed. Exitcode: $exitCode"
+                exit $lastExitCode
+            }
+            Write-Host "GnuPG signed to file: "$file_path
+        }
+
+        $targeting_asc_files = Get-ChildItem $jar_file_directory -Recurse -Force -File -Name
+        foreach ($file in $targeting_asc_files) {
+            $file_path = Join-Path $jar_file_directory -ChildPath $file
+            Write-Host "Adding checksum of sha256 to file: "$file_path
+            $file_path_sha256 = $file_path + ".sha256"
+            CertUtil -hashfile $file_path SHA256
+            CertUtil -hashfile $file_path SHA256 | find /v `"hash`" | Out-File -FilePath $file_path_sha256
+            Write-Host "Added checksum of sha256 to file: "$file_path
+        }
+
+        Write-Host "GnuPG and sha256 signing to files completed."
+        Write-Host "Deleting GnuPG key files."
+        Remove-Item -Path $passphrase_file
+        Remove-Item -Path $private_key_file
+        Write-Host "Deleted GnuPG key files."